b'MAY 9, 2006\n  AUDIT REPORT\n\n\n\n\n                                                      OFFICE OF AUDITS\n\n\n\n\n NASA SHOULD IMPROVE EMPLOYEE AWARENESS OF\n  REQUIREMENTS FOR IDENTIFYING AND HANDLING\n   SENSITIVE BUT UNCLASSIFIED INFORMATION\n\n\n\n                                           OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                                                      National Aeronautics and\n                                                          Space Administration\n\n\n\n\n  REPORT NO. IG-06-010-REDACTED (ASSIGNMENT NO. A-04-013-00)\n\x0c\x0cMAY 9, 2006\n\n\n\n\n                                                                                                  IN BRIEF\n\n             NASA SHOULD IMPROVE EMPLOYEE AWARENESS OF\n              REQUIREMENTS FOR IDENTIFYING AND HANDLING\n               SENSITIVE BUT UNCLASSIFIED INFORMATION\n                                                                                                 The Issue\n\n  The National Aeronautics and Space Act of 1958 (Space Act) requires NASA to \xe2\x80\x9cprovide\n  for the widest practicable and appropriate dissemination of information concerning its\n  activities and the results thereof.\xe2\x80\x9d This must be accomplished in a manner consistent\n  with U.S. laws and regulations, Federal information policy, intellectual property rights,\n  and technology transfer protection requirements. NASA faces many challenges in\n  balancing its Space Act mandate with the requirements to protect certain classes of\n  information that are not suitable for dissemination to the public. 
Crucial to the success of\n  meeting those challenges is the need for NASA to (1) ensure that its policies and\n  procedures for sensitive but unclassified (SBU)1 information are complete and (2) create\n  and maintain employee awareness of their responsibilities to safeguard SBU information.\n\n                                                                                                      Results\n\n  Overall, NASA\xe2\x80\x99s policies and procedures for handling SBU information are consistent\n  with Federal laws and regulations. Prior to November 2005, the Agency\xe2\x80\x99s primary\n  Security Program document did not cover all the types of SBU information that NASA\n  uses, nor were SBU requirements in the Security Program document cross-referenced to\n  other documents that contained additional requirements for specific types of SBU\n  information. Revisions incorporated into the November 2005 version of NPR 1600.1,\n  \xe2\x80\x9cNASA Security Program Procedural Requirements w/Change 1 (11/08/2005),\xe2\x80\x9d assuaged\n  our concerns about the adequacy of the Agency\xe2\x80\x99s policies and procedures for SBU\n  information. However, we found that NASA lacks a comprehensive SBU training\n  program for civil servants and contractors on the requirements for protecting SBU\n  information.\n\n\n\n  1\n      Until November 2005, NASA used the term Administratively Controlled Information, or ACI, to identify\n      official information of a sensitive but unclassified nature that needed to be protected against inappropriate\n      disclosure. Such information officially became Sensitive But Unclassified on November 8, 2005, when\n      NASA issued its revised NASA Procedural Requirements (NPR) 1600.1, \xe2\x80\x9cNASA Security Procedural\n      Requirements w/Change 1.\xe2\x80\x9d\n\n\n\n\n  REPORT NO. 
IG-06-010-R\n\x0c                                                                                     IN BRIEF\n\n\n\n\nManagement Action\n\nIn November 2005, NASA revised the requirements for SBU information. Specifically,\nthe new policies and procedures increased the number of SBU information types\nrecognized by NASA and cross-referenced several types of SBU information to other\ndocuments that contained additional requirements. Although the new requirements\nemphasized the importance of establishing and maintaining an adequate level of\neducation and awareness to safeguard and prevent unauthorized disclosure of SBU\ninformation, they did not detail a comprehensive SBU training program. Therefore, we\nare recommending that NASA establish an Agency-wide comprehensive training\nprogram that specifies the policies and procedures for identifying and handling SBU\ninformation.\n\nIn response to a draft of this report, the Assistant Administrator, OSPP, concurred with\nthe recommendation and provided information on corrective actions planned (see\nAppendix D). We consider management\xe2\x80\x99s comments to be responsive and the\nrecommendation resolved, although it will remain open until all actions have been\ncompleted and verified. No response to this final report is required.\n\n\n\n\nii                                                               REPORT NO. 
IG-06-010-R\n\x0cMAY 9, 2006\n\n\n\n\n                                                           Contents\n\n  INTRODUCTION\n     Background __________________________________________ 1\n     Objectives ___________________________________________ 1\n     Meta-Data Report _____________________________________ 2\n\n  RESULTS\n     Finding A: Policies and Procedures Covering SBU-Information ___ 3\n     Finding B: Comprehensive SBU-Information Training Is\n                 Needed ___________________________________ 6\n\n  APPENDIX A\n     Scope and Methodology _______________________________ 11\n     Review of Internal Controls _____________________________ 12\n     Prior Coverage_______________________________________ 12\n\n  APPENDIX B\n     Redacted ___________________________________________ \xe2\x80\x94\n\n\n  APPENDIX C\n     Comparison of Federal and Selected Agencies\xe2\x80\x99 SBU Requirements\n       with NASA\xe2\x80\x99s ______________________________________ 14\n\n  APPENDIX D\n     Management Comments _______________________________ 31\n\n  APPENDIX E\n     Report Distribution ___________________________________ 33\n\n\n\n\n  REPORT NO. IG-06-010-R\n\x0c\x0cMAY 9, 2006\n\n\n\n\n                                                                        INTRODUCTION\n\n\nBackground\n\n  NASA generates, receives, disseminates, and maintains an enormous amount of\n  information, much of which is of an unclassified and nonsensitive nature with few\n  restrictions on its use and dissemination. The security of this information is the direct,\n  immediate, and inherent responsibility of all NASA personnel, contractors, and others\n  granted access to it.\n\n  NASA must comply with several Federal laws and regulations that address disseminating\n  information. These laws and regulations can be confusing, however, because their\n  definitions of SBU information are not precise and some laws promote dissemination\n  while other laws restrict or prohibit dissemination. 
For example, the Computer Security\n  Act of 1987 defines sensitive information as any information for which the loss, misuse,\n  or unauthorized access to, or modification of, could adversely affect the national interest\n  or the conduct of Federal programs, or the privacy to which individuals are entitled but\n  has not been authorized to be kept secret. However, the Act does not specify the types of\n  information that are included in sensitive information. Whereas the Computer Security\n  Act requires protection of information such as personal and proprietary information from\n  unauthorized disclosure, the Space Act promotes dissemination and requires the widest\n  practicable and appropriate dissemination of information about NASA\xe2\x80\x99s activities.\n\n  Other laws restrict or prohibit dissemination of SBU information. For example, the\n  Privacy Act prohibits dissemination of an individual\xe2\x80\x99s personal information without prior\n  written consent of the individual. In addition, the Freedom of Information Act (FOIA)\n  requires that agencies make information available to the public but exempts from\n  disclosure internal personnel rules and practices, information specifically exempted by\n  other statutes, trade secrets, personnel and medical files, and law enforcement records.\n  The Homeland Security Act of 2002, which modifies FOIA, exempts from disclosure\n  critical infrastructure information. Export control regulations restrict exportation of\n  technical data relating to the Space Shuttle, satellites, and the International Space Station.\n\n\nObjectives\n\n  The overall objective of our audit was to determine whether NASA established adequate\n  controls that would protect SBU information. Specifically, we sought to determine\n  whether NASA had (1) developed and issued policies and procedures that adequately\n  define, identify, and protect all sensitive information with an emphasis on scientific and\n\n\n\n\n  REPORT NO. 
IG-06-010-R                                                                       1\n\x0c                                                                                               INTRODUCTION\n\n\n\n technical sensitive information; (2) assigned accountability for the security of sensitive\n information; (3) established policies and procedures to properly screen sensitive\n information for possible inclusion in formal classification schemes;2 and (4) established\n adequate policies and procedures for education and training to create user awareness of\n the need to recognize and properly safeguard sensitive information. See Appendix A for\n details of the audit\xe2\x80\x99s scope and methodology, our review of internal controls, and a list of\n prior coverage.\n\n\nMeta-Data Report\n\n As part of our review of NASA\xe2\x80\x99s policies and procedures to protect SBU information, we\n sampled NASA documents available on the Internet and found that they contained meta-\n data3 that could be considered SBU information. In December 2005, we issued a report\n to the NASA Chief Information Officer and recommended that NASA (1) develop\n policies and procedures to define, recognize, and protect meta-data that may be contained\n in electronic documents, and (2) provide user awareness training on the meta-data\n policies and procedures developed pursuant to the preceding recommendation. See\n Appendix B for a copy of the report. [Appendix B has been redacted from this version.]\n\n\n\n\n 2\n     During the course of the audit, we dropped objective 3 because it was beyond the scope of the planned\n     work.\n 3\n     Meta-data is data that describes other data. 
For information purposes, meta-data refers to the data\n     generated when a Microsoft Word, Excel, or PowerPoint document is created or revised that describes\n     how, when, and by whom a particular set of data was collected and how the data was formatted.\n\n\n\n\n 2                                                                              REPORT NO. IG-06-010-R\n\x0cRESULTS\n\n\n\n\n                                                     FINDING A: POLICIES AND\n                                                       PROCEDURES COVERING\n                                                           SBU INFORMATION\n\n          Although there are no Government-wide standards for defining what constitutes\n          SBU information, NASA\xe2\x80\x99s policies and procedures are consistent with Federal\n          laws and selected agencies\xe2\x80\x99 requirements for SBU information. The Agency has\n          effectively assigned accountability for the security of sensitive information to\n          OSPP. However, prior to November 2005, NASA\xe2\x80\x99s policies and procedures did\n          not identify all the types of SBU information that NASA uses, and the various\n          policies and procedures regulating security and management of SBU information\n          Agency-wide were not cross-referenced to each other. On November 8, 2005,\n          NASA revised its Agency Security Program, including the policies and\n          procedures covering SBU information. The revisions assuaged our concerns\n          about the adequacy of the Agency\xe2\x80\x99s policies and procedures for SBU information.\n\n\nFederal Laws and Regulations and Selected Agencies\xe2\x80\x99 SBU\n  Requirements\n\n  With the exception of certain types of information protected by statute, standard criteria\n  and terminology defining the types of information warranting designation as SBU does\n  not exist within the Federal government. 
To help us identify SBU-related laws,\n  regulations, and other Federal agencies\xe2\x80\x99 directives that could apply to NASA, we\n  contracted with the Federal Research Division (FRD) of the Library of Congress. FRD\n  gave us a report that set forth the statutes, regulations, and Executive Branch directives\n  that define and govern access to SBU information. We compared the SBU requirements\n  identified in the FRD report with NASA\xe2\x80\x99s and found that the Agency has in place\n  policies and procedures that are consistent with Federal laws and selected agencies\xe2\x80\x99\n  requirements. Appendix C shows the comparison.\n\n\nAccountability for SBU Information\n\n  The Assistant Administrator for OSPP is responsible for overseeing Agency-wide\n  implementation and integration of NPR 1600.1, \xe2\x80\x9cNASA Security Program Procedural\n  Requirements w/Change 1,\xe2\x80\x9d which establishes Agency-wide requirements for security\n  program implementation. Further, the NPR designates that the Assistant Administrator\n  for OSPP is to provide direction and oversight for an Agency-wide administrative\n  security program that protects SBU information in NASA\xe2\x80\x99s custody. In addition to\n  OSPP, the Office of the Chief Information Officer and other Headquarters offices also\n\n\n\n\n  REPORT NO. IG-06-010-R                                                                       3\n\x0c                                                                                           RESULTS\n\n\n\n have responsibility for specific types of SBU information. For example, export control\n information is considered SBU information, and NPR 2190.1, \xe2\x80\x9cNASA Export Control\n Program,\xe2\x80\x9d designates the Assistant Administrator of the Office of External Relations as\n responsible for assessing and ensuring that all NASA programs, activities, and exports\n comply with U.S. 
export control laws and regulations.\n\n\nTypes of SBU Information NASA Uses\n\n In its November 2005 revision of NPR 1600.1, the Agency provided extensive\n descriptions of the types of SBU information NASA uses. With no Government-wide\n standard criteria identifying SBU information and no terminology defining types of SBU\n information, each individual agency is left to designate the types of information it\n considers to be SBU information. Until November 2005, NASA had designated eight\n types of information as SBU in NPR 1600.1, but the list did not include all types of SBU\n information that NASA used. For example, it did not include\n\n     \xe2\x80\xa2       source selection and bid and proposal information;\n\n     \xe2\x80\xa2       Small Business Innovative Research (SBIR) data, limited-rights data, and\n             Restricted computer software received in the performance of NASA contracts;\n\n     \xe2\x80\xa2       information subject to the Privacy Act;\n\n     \xe2\x80\xa2       systems security data revealing the security posture of a system; or\n\n     \xe2\x80\xa2       information concerning or relating to private entity trade secrets or confidential\n             commercial or financial information received by a NASA employee in the course\n             of government employment or official duties.\n\n The November 2005 revision not only listed all of these types of information as SBU, it\n further classified SBU information into three general categories:\n\n         \xe2\x80\xa2    Information subject to FOIA: NASA designated as SBU any information\n              originated within or furnished to NASA that falls under one or more of the\n              exemption criteria of the Freedom of Information Act (5 U.S.C. 
\xc2\xa7552).\n\n         \xe2\x80\xa2    Information exempt or restricted from disclosure by statute, regulations,\n              contract, or agreement: NASA provides eight examples of this category of SBU,\n              such as, information subject to export control under International Traffic in\n              Arms Regulations (ITAR) or Export Administration Regulations (EAR) and\n              information disclosing a new invention in which the Federal Government owns\n              or may own a right, title, or interest.\n\n\n\n\n 4                                                                     REPORT NO. IG-06-010-R\n\x0cRESULTS\n\n\n\n       \xe2\x80\xa2   Information that a designated NASA official determines to be unusually\n           sensitive: NASA provides 13 examples of this category of SBU, such as\n           sensitive scientific and technical information, and NASA information\n           technology (IT) internal systems data revealing infrastructure used for servers,\n           desktops, and networks.\n\n  With these changes, NASA has increased the types of SBU information described in\n  NPR 1600.1 from 8 to 22.\n\n\nCross-Reference to Other Documents Containing Additional\n  Requirements Related to SBU Information\n\n  Within NASA, management of SBU information is regulated through multiple Agency\n  organizations and through multiple NASA regulations and directives. Although\n  NPR 1600.1 is NASA\xe2\x80\x99s primary reference document for requirements covering SBU\n  information, until November 2005, NPR 1600.1 did not cross-reference other Agency\n  documents that contained additional SBU information requirements. 
The current NPR,\n  however, notes that requirements for handling sensitive scientific and technical\n  information are described in NASA Policy Directive (NPD) 2200.1, \xe2\x80\x9cManagement of\n  NASA Scientific and Technical Information (STI),\xe2\x80\x9d and NPR 2200.2, \xe2\x80\x9cRequirements for\n  Documentation, Approval, and Dissemination of NASA Scientific and Technical\n  Information,\xe2\x80\x9d and that requirements for disposing of IT systems that contain SBU\n  information are described in NPR 2810.1, \xe2\x80\x9cSecurity of Information Technology.\xe2\x80\x9d\n  Further, NPR 1600.1 now notes that the requirements in NPR 2810.1, regarding the need\n  to (1) certify and accredit IT systems that store SBU information and (2) store and control\n  laptop computers and other media containing SBU information, must be met.\n\n\nCorrective Action Taken\n\n  Revisions incorporated into the 2005 NPR 1600.1 adequately address the issues that we\n  communicated to OSPP officials during our audit regarding (1) the incomplete listing of\n  the types of SBU information that NASA uses and (2) the lack of cross-referencing to\n  other documents that contain additional requirements for specific types of SBU\n  information. Therefore, we are not making any recommendations in those areas.\n\n\n\n\n  REPORT NO. 
IG-06-010-R                                                                      5\n\x0c                                                                                     RESULTS\n\n\n\n\n                                               FINDING B: COMPREHENSIVE\n                                                       SBU INFORMATION\n                                                             TRAINING IS\n                                                                 NEEDED\n\n        While NASA expanded and clarified the Agency\xe2\x80\x99s requirements with regard to SBU\n        information in November 2005, the Agency did not establish a comprehensive\n        training program to educate civil servants and contractors about Agency\n        requirements for identifying and handling SBU information. The November 2005\n        requirements state that the originators of information are required to identify it as\n        SBU or not and protect it accordingly. Without a comprehensive training program,\n        however, SBU information could be inadvertently disseminated, and that\n        dissemination could result in harm to a person\xe2\x80\x99s privacy or welfare, have an adverse\n        impact on economic or industrial institutions, or compromise programs or operations\n        essential to safeguarding our national interests.\n\n\nFederal Laws and NASA Requirements on SBU Information\n  Training\n\n Federal Laws. Two laws specifically require training for Federal employees and\n contractor personnel in securing SBU information. The first law, the Computer Security\n Act of 1987, requires that all persons\xe2\x80\x94including contractors\xe2\x80\x94involved in management,\n use, or operation of Federal computer systems that contain sensitive information receive\n periodic training in computer security awareness and accepted computer security\n practice. 
The second law, the Federal Information Security Management Act of 2002,\n requires that an agency\xe2\x80\x99s Chief Information Officer develop and maintain information\n security programs that include security awareness training to inform Federal personnel\xe2\x80\x94\n including contractors\xe2\x80\x94of information security risks associated with their activities as\n well as their responsibilities in complying with policies to reduce these risks.\n\n In addition to the preceding Federal laws, the Federal Managers\xe2\x80\x99 Financial Integrity Act\n of 1982 (FMFIA) states that agencies must establish internal administrative controls in\n accordance with the standards prescribed by the Comptroller General, which are\n published in \xe2\x80\x9cStandards for Internal Control in the Federal Government\xe2\x80\x9d and set out\n management control standards for all aspects of an agency\xe2\x80\x99s operation. One of the\n standards of internal control\xe2\x80\x94 control activities\xe2\x80\x94addresses appropriate policies,\n procedures, techniques, and mechanisms that should be in place to manage agency\n activities and identifies training is a necessary component of a good internal control\n program.\n\n\n\n\n 6                                                               REPORT NO. IG-06-010-R\n\x0cRESULTS\n\n\n\n  NASA Requirements. NPD 1600.2D, \xe2\x80\x9cNASA Security Policy,\xe2\x80\x9d revalidated\n  February 1, 2006, offers a generalized statement that NASA provides security and\n  protection for, among other things, information. It further notes that securing and\n  protecting is to be accomplished by methods including undertaking a security education\n  and awareness program designed to solicit the support and involvement of all Agency\n  personnel. 
Training offered by NASA falls into two categories:\n\n     \xe2\x80\xa2    The Agency\xe2\x80\x99s annual IT security training, required at all Centers and NASA HQ,\n          provides minimal details about SBU information. The training defines the term\n          and reminds employees that SBU information, such as trade secrets, proprietary\n          information, financial information, and personnel and medical records, must be\n          properly marked and kept in a secured location when not under the supervision of\n          an authorized person. However, the section devoted to SBU information lacks\n          examples of proprietary information, fails to explain the types of financial\n          information to consider as SBU, and does not address inventions, bid and\n          proposal or source selection information, software, or SBIR data.\n\n     \xe2\x80\xa2    NASA Centers\xe2\x80\x99 additional online security training includes guidance about\n          managing SBU information. For example, NASA HQ and Kennedy Space Center\n          both offer separate training modules that provide specific guidance on protections\n          applicable to some of the subcategories of SBU information, such as export\n          control, technical information exchange, and the document availability\n          authorization process that determines whether scientific and technical information\n          can be released. Marshall offers comprehensive training for each type of SBU\n          information. The training module, \xe2\x80\x9cSafeguarding MSFC\xe2\x80\x99s Administratively\n          Controlled Information,\xe2\x80\x9d provides detailed explanations about information\n          protected by export regulations and FOIA; inventions; source selection,\n          proprietary, and privileged information; software; embargoed information; and\n          SBIR data. 
The module also addresses marking and safeguarding and specifies\n          consequences for not protecting SBU information.\n\n\nTraining Program for Protecting SBU Information\n\n  The revised NPR 1600.1 established the NASA Security Education and Training, and\n  Awareness (SETA) Program. This program emphasizes that management and employee\n  involvement are essential to an effective security program. Specifically, the SETA\n  Program requires the following:\n\n     \xe2\x80\xa2    The Center Director must ensure that adequate procedures are in place whereby\n          all NASA employees and contractor personnel are briefed annually regarding\n          Center security program responsibilities.\n\n\n\n\n  REPORT NO. IG-06-010-R                                                                   7\n\x0c                                                                                      RESULTS\n\n\n\n     \xe2\x80\xa2   Within 20 days of their arrival, a new NASA employee/contractor must receive an\n         initial orientation briefing to acquaint them with local security procedures and\n         employee responsibilities to protect personnel and Government property from\n         theft, loss, or damage.\n\n     \xe2\x80\xa2   The responsible supervisor must ensure that job-related, facility-oriented security\n         education, and awareness instructions or training for newly assigned personnel are\n         timely.\n\n The November 2005 NPR 1600.1 recognizes that the effectiveness of an individual in\n meeting their security responsibilities is proportional to the degree to which the\n individual understands those responsibilities. It assigns the responsibility for providing\n training about SBU information to the Center Directors and an individual\xe2\x80\x99s manager and\n supervisor. 
However, the NPR does not ensure that the training being given must be\n comprehensive, in that it does not require that the training cover the policies and\n procedures for identifying, marking, safeguarding, storing, accessing, disclosing,\n protecting, transmitting, destroying, and imposing administrative violations and sanctions\n for all the types of SBU information that NASA handles. As written, the training\n requirements allow each manager, supervisor, and Center Director to determine which\n aspects of the Agency\xe2\x80\x99s SBU information requirements and the types of SBU information\n to include in its training. As a result, each Center\xe2\x80\x99s training will be different. For\n example, a Center Director could choose to only present the marking and safeguarding\n requirements for selected SBU types of information, such as export control, proprietary,\n FOIA, and SBIR data, while another could describe the types of SBU information that\n NASA uses and cover all the Agency\xe2\x80\x99s requirements with regard to SBU information,\n such as marking, storage, disclosure, protection, transmittal, and destruction.\n\n\nConclusion\n\n By establishing the SETA Program, NASA has taken a positive step toward requiring that\n NASA employees and contractors be aware of the policies and procedures for managing\n and protecting SBU information. However, because originators of information are\n required to identify and protect SBU information, they must understand what SBU\n information is and how to prevent its inadvertent dissemination. If NASA employees and\n contractor personnel are unaware of what information needs protecting or are confused\n about how to protect it, SBU information could be inappropriately distributed, causing\n harm to the Agency as well as its projects and programs. 
Until NASA establishes a\n comprehensive, Agency-wide training program that covers SBU information, it has no\n assurance that the training provided to NASA employees and contractors covers a\n common baseline that incorporates an appropriate range of NASA policies and\n procedures for identifying and handling SBU information.\n\n\n\n\n 8                                                                REPORT NO. IG-06-010-R\n\x0cRESULTS\n\n\n\nRecommendation, Management\xe2\x80\x99s Response, and Evaluation of\n  Management\xe2\x80\x99s Response\n\n  We recommend that the Assistant Administrator for the Office of Security Program\n  Protection establish an Agency-wide comprehensive training program, to be\n  implemented at each Center and HQ, that specifies the policies and procedures for\n  identifying and handling SBU information.\n\n  Management\xe2\x80\x99s Response. Management concurred. The Office of Security Program\n  Protection will add SBU information to their Web-site no later than May 12, 2006. The\n  SBU information will provide employees and contractors access to the Awareness and\n  Training information they need for identifying, marking, safeguarding, accessing,\n  disclosing, and transmitting the information. In addition, OSPP will develop an Agency-\n  wide comprehensive training program for SBU, which will outline the minimum policies\n  and procedures that have to be covered by each Center in their SBU training and\n  briefings. The training information will be placed on the System for Administration,\n  Training, and Educational Resources for NASA (SATERN) by August 1, 2006.\n\n  Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s actions are responsive. The\n  recommendation is resolved, but will remain undispositioned and open for reporting\n  purposes until all corrective actions have been completed and we have reviewed the\n  supporting documentation.\n\n\n\n\n  REPORT NO. 
APPENDIXES

APPENDIX A

Scope and Methodology

We performed work for this audit at Goddard Space Flight Center, HQ, Jet Propulsion Laboratory, Johnson Space Center, Kennedy Space Center, and Marshall Space Flight Center. Specifically, we interviewed personnel directly involved with export control, scientific and technical information, inventions, FOIA, Privacy Act, procurement, and security. In addition, we examined various SBU-related documentation generated by NASA Headquarters and the selected Centers.

To assess personnel awareness of SBU information, we analyzed various NASA requirements for identifying and protecting SBU information. The requirements reviewed included those for export control, scientific and technical information, inventions, FOIA, Privacy Act, procurement, security, counterintelligence, software, small business and innovative research, and information technology security.

To help us identify SBU-related laws, regulations, and agency directives that could apply to NASA, we contracted with the Federal Research Division (FRD) of the Library of Congress to give us a report that set forth the statutes, regulations, and Executive Branch directives that define and govern access to SBU information. We compared the SBU requirements identified in the FRD report with NASA’s.

We reviewed the last two NASA Export Control Program Annual audits at the selected Centers and followed up on the status of open recommendations.

We evaluated SBU-related training, including training accessible online, available to NASA employees and interviewed employees involved with SBU-related training at HQ and selected Centers. In addition, we examined new employee orientation training given at HQ and the selected Centers.

As part of our review of NASA’s policies and procedures to protect SBU information, we sampled NASA documents available on the Internet and found that they contained meta-data that could be considered SBU. In December 2005, we issued a report to the NASA Chief Information Officer and recommended that NASA develop policies and procedures to define, recognize, and protect meta-data that may be contained in electronic documents. Further, we recommended that NASA provide user awareness training on the meta-data policies and procedures developed pursuant to the preceding recommendation.

We performed the audit from July 2004 through March 2006. This audit was performed in accordance with generally accepted government auditing standards.

Use of Computer-Processed Data. We did not use computer-processed data to perform this audit.

Review of Internal Controls

We reviewed policies and procedures relating to SBU information and for training personnel to recognize and protect such information. NASA’s policies and procedures with regard to SBU information are consistent with Federal laws and selected agencies’ SBU requirements. The Agency has effectively assigned accountability for the security of sensitive information to OSPP. Revisions incorporated into NPR 1600.1, “NASA Security Procedural Requirements w/Change 1,” issued on November 8, 2005, adequately addressed the issues that we had communicated to OSPP officials regarding (1) the incomplete listing of the types of SBU information that NASA uses and (2) the lack of cross-referencing to other documents that contain additional requirements for specific types of SBU information.

“Standards for Internal Control in the Federal Government” identifies training as an important element in creating a good internal control program. The lack of a comprehensive training program with regard to SBU information leaves NASA officials unable to assure that SBU information NASA controls is marked and handled in a manner consistent with NASA policies and procedures and may result in inconsistencies and errors regarding management of SBU information. We recommended that OSPP establish an Agency-wide comprehensive training program that specifies the policies and procedures for identifying and handling SBU information.

Prior Coverage

The Government Accountability Office (GAO) and the NASA Office of Inspector General (OIG) have issued 8 reports of particular relevance to the subject of this report. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted NASA OIG reports can be accessed at http://www.hq.nasa.gov/office/oig/hq/audits/reports/FY06/index.html

Government Accountability Office

“Managing Sensitive Information: Departments of Energy and Defense Policies and Oversight Could Be Improved,” GAO-06-369, March 7, 2006

“Managing Sensitive Information: DOE and DOD Could Improve Their Policies and Oversight,” GAO-06-531T, March 14, 2006

“Export Controls: Post-Shipment Verification Provides Limited Assurance That Dual-Use Items Are Being Properly Used,” GAO-04-357, January 12, 2004

NASA Office of Inspector General

“NASA’s Policies for Protecting Technology Exported to Foreign Entities,” IG-06-006, March 14, 2006

Letter to Congress on NASA’s Export Controls, February 23, 2006

“NASA Lacks Procedures to Define, Recognize, and Protect Meta-Data,” A-04-013, December 19, 2005

“Cyber Security: The Status of Information Security and the Effects of the Federal Information Security Management Act (FISMA) at NASA,” Statement of the Honorable Robert W. Cobb, NASA Inspector General, June 24, 2003

“Goddard Space Flight Center’s Compliance with Export Laws and Regulations,” IG-02-016, May 14, 2002
APPENDIX C

Comparison of Federal and Selected Agencies’ SBU Requirements with NASA’s

The table below pairs, row by row, the Federal and Selected Federal Agencies’ SBU Requirements [4] (left column in the original) with the corresponding NASA SBU Requirements [5] (right column in the original).

Executive Orders (EO)

  Federal/agency requirement:
  • EO 12958 (April 17, 1995), “prescribes a uniform system for classifying, safeguarding, and declassifying national security information.”
  • EO 13292 (March 25, 2003), “prescribe a uniform system for classifying, safeguarding, and declassifying national security information, including information relating to defense against transnational terrorism.”

  NASA requirement:
  • NPR 1600.1, Chapter 5, “Classified National Security and Sensitive But Unclassified (SBU) Information Management”

White House Memoranda

  Federal/agency requirement:
  • Memorandum (March 19, 2002), from the White House Chief of Staff to the heads of all executive departments and agencies regarding the safeguarding and protection of sensitive homeland security information directs recipients to “undertake an immediate reexamination of current measures for identifying and safeguarding” Government information “regarding weapons of mass destruction, as well as other information that could be misused to harm the security of our nation and the safety of our people.” Further, they should carefully consider Freedom of Information Act (FOIA) exemptions.
  • Pursuant to the White House Memorandum, a joint memorandum from the Acting Director of the Information Security Oversight Office and the Co-Directors of the Justice Department’s Office of Information and Privacy reiterates the above memorandum to control sensitive information by giving full and careful consideration to all FOIA exemptions.

  NASA requirement:
  • NPR 1600.1, Section 5.24.2.1(c).(2-12), clarifies FOIA exemptions to include information determined to be unusually sensitive by a designated NASA official such as Center maps, security measures for infrastructure, and information that could constitute an indicator of U.S. government intentions, capabilities, operations, or activities or otherwise threaten operations security.

[4] Federal and selected agencies’ SBU requirements were taken from a report prepared by the Federal Research Division of the Library of Congress for the NASA OIG. The report is dated August 2004.
[5] Information is current as of February 2006.

Presidential/National Security Directives (PD/NSC) and National Security Decision Directives (NSDD)

  Federal/agency requirement:
  • PD/NSC 24 (November 16, 1977) protects unclassified information that would be useful to an adversary as the information is transmitted by and between Government agencies and contractors. References the need for communications security (COMSEC).
  • NSDD-189 (September 21, 1985) states that “to the maximum extent possible, the products of fundamental research remain unrestricted.”
  • NSDD-145 (September 17, 1984) “establishes initial objectives of policies, and an organizational structure to guide the conduct of national activities directed toward safeguarding systems which process or communicate sensitive information from hostile exploitation.”
  • NSDD 42 (July 5, 1990) “establishes initial objectives, policies, and an organizational structure to guide the conduct of activities to secure national security systems from exploitation.”

  NASA requirement:
  • NPR 2810.1, Section 4.11, provides detailed guidance for using encryption for classified and unclassified information.
  • NPR 2810.1, Section 4.12.1, provides guidance on National security information.
  • NPR 1600.1, Section 5.15, requires users of COMSEC material to follow the NASA Central Office of Record Standard Operating Procedures and the National Security Telecommunications Systems Security Instruction 4005.
  • NPR 2200.2B, Section 1.8, policy promotes release of scientific and technical data.

Federal Laws/Regulations

  Federal/agency requirement:
  • Freedom of Information Act (FOIA) of 1966, while promoting release of information, the Act provides 9 exemptions and 3 special law enforcement exclusions. In 2001, agencies were encouraged to carefully consider the values of safeguarding national security, enhancing the effectiveness of law enforcement, protecting sensitive business information, and preserving personal privacy when determining whether information could be released.

  NASA requirement:
  • NASA FOIA regulations and 14 CFR 1206, “Availability of Agency Records to Members of the Public,” establish NASA policy for release of Agency records.
  • NPR 1600.1, Section 5.24.2.1(c).(2-12), clarifies FOIA exemptions to include information determined to be unusually sensitive by a designated NASA official, such as Center maps, security measures for infrastructure, and information that could constitute an indicator of U.S. government intentions, capabilities, operations, or activities or otherwise threaten operations security.

  Federal/agency requirement:
  • Computer Security Act of 1987 defines sensitive information and requires agencies to identify computer systems that contain sensitive information and to plan security and privacy for each system identified. Protection means providing confidentiality, integrity, and/or availability.

  NASA requirement:
  • NPR 2810.1:
    o Appendix C, “Glossary,” provides a simpler definition of “sensitive information” than the one provided by the Computer Security Act.
    o P.1, “Purpose,” and 1.1, “Objectives of NASA’s IT Security Program,” discuss confidentiality, integrity, and availability.
    o 1.2.6 says everyone who uses information technology resources bears responsibility for ensuring that integrity, availability, and confidentiality are not compromised.

  Federal/agency requirement:
  • Homeland Security Act of 2002 mandates that Federal agencies share relevant and appropriate homeland security information with other Federal agencies, defines homeland security, and exempts critical infrastructure information from disclosure under FOIA.

  NASA requirement:
  • NPR 1600.1, 7.17.2.8, states that the Director, Security Management Division shall monitor the threat status in the Agency and maintain close liaison with the Department of Homeland Security (DHS) and National-level intelligence and security agencies for timely and accurate threat information.

  Federal/agency requirement:
  • Arms Export Control/International Traffic in Arms Regulations (ITAR); defines the United States Munitions List

  NASA requirement:
  • NPR 1600.1, Appendix J, “NASA Foreign Visitor Security/Technology Control Plan Sample Template,” contains the Security/Technology Transfer Control Plan (STTCP), which is used to ensure that technology is protected in accordance with NASA policy and procedure, and in accordance with EAR and ITAR. Section 3 contains materials that are to be used for a briefing on EAR and ITAR.

  Federal/agency requirement:
  • Export Administration Act/Export Administration Regulations (EAR); specifies the Commerce Control List and the Missile Technology Control Regime

  NASA requirement:
  • NPR 1600.1, Appendix J (3) -- see previous narrative.

Laws/Regulation/Agency Policy-Guidance

  Federal/agency requirement:
  • Nuclear Nonproliferation Act
  • Nuclear Proliferation Prevention Act
  • Iran Nonproliferation Act

  NASA requirement:
  • NPR 2190.1, Section 4.4.1, addresses nuclear, missile, and chemical biological proliferation. Foreign partners and end-users of NASA exports must be screened for nuclear proliferation concerns, missile proliferation concerns, and chemical-biological proliferation concerns. The section refers to 15 CFR Part 740 for missile and nuclear screens and 15 CFR Part 742.2 for destinations of chemical-biological weapons proliferation concern.

  Federal/agency requirement:
  • National Defense Authorization Act for FY 1991 - amends ITAR and EAR
  • National Defense Authorization Act for FY 1999 - limits missile exports to China

  NASA requirement:
  • NPR 2190.1
    o Chapter 4, “Export Administration Regulations (EAR) Procedures,” describes license exceptions allowed and refers to 15 CFR 740, which provides detailed requirements for using the exceptions and warns that China has missile technology projects.
    o Chapter 5, “International Traffic in Arms Regulations (ITAR) Procedures”: use of ITAR exemptions must be coordinated with the Center Export Administrator or the Headquarters Export Administrator.

Department of Defense

  Federal/agency requirement:
  • DoD 5200.1-R, Information Security Program, Apps. C (Classified) and 3 (Controlled Unclassified): marking “For Official Use Only” (FOUO) required at bottom of front cover, title page, first page, and outside of the back cover. In addition, pages that contain FOUO shall be marked at the bottom. Material other than paper documents shall bear markings that alert the holder or viewer. State Dept. designated Sensitive But Unclassified information - same requirements as FOUO. Drug Enforcement Administration (DEA) sensitive information requires marking the top and bottom of the front cover, title page, outside of back cover, and each page containing DEA sensitive information with “DEA Sensitive.” Similar marking required for Unclassified Controlled Nuclear Information (UCNI).

  NASA requirement:
  • NPR 1600.1, Section 5.24.3, “Marking for SBU,” states, “Information designated as SBU will be sufficiently marked so that persons having access to it are aware of its sensitivity and protection requirements. The lack of SBU markings on information known by the holder to be SBU does not relieve the holder from safeguarding responsibilities. Where the SBU marking is not present on information known by the holder to be SBU, the holder of the information will protect it as SBU. Information protected by statute or regulation will be marked in accordance with the applicable guidance for that type of information. Information marked in accordance with such guidance need not be additionally marked SBU. If there is no specific guidance or marking requirements, information designated SBU will be marked as follows:
    a. Prominently mark the top and bottom of the front cover, first page, title page, back cover, and each individual page containing SBU information with the caveat "SENSITIVE BUT UNCLASSIFIED (SBU)."
    b. Materials containing specific types of SBU information may be further marked with the applicable caveat, e.g., "LAW ENFORCEMENT SENSITIVE," in order to alert the reader of the type of information conveyed. Where the sensitivity of the information warrants additional access and dissemination restrictions, the originator may cite additional access and dissemination restrictions. For example: WARNING: This document is SENSITIVE BUT UNCLASSIFIED (SBU). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with NASA policy relating to SBU information. This information shall not be distributed beyond the original addressees without prior authorization of the originator.
    c. SBU information being transmitted to recipients outside of NASA, for example, other federal agencies, state or local officials, NASA contractors, etc., shall include the following additional notice: WARNING: This document is SENSITIVE BUT UNCLASSIFIED (SBU). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552) or other applicable laws or restricted from disclosure based on NASA policy. It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with NASA policy relating to SBU information and is not to be released to the public or other personnel who do not have a valid "need-to-know" without prior approval of an authorized NASA official (see NPR 1600.1).
    d. Computer storage media, i.e., disks, tapes, removable drives, memory sticks, etc. containing SBU information will be marked "SENSITIVE BUT UNCLASSIFIED."
    e. Portions of a classified document, i.e., subjects, titles, paragraphs, and subparagraphs that contain only SBU information will be marked with the abbreviation (SBU).
    f. Individual portion markings on a document that contains no other designation are not required.”

  Federal/agency requirement:
  • DOD 5400.7R, DOD FOIA Program provides guidance on implementing FOIA, describes safeguards to protect sensitive information, DOD exemptions to FOIA, markings, and how to disseminate and transmit.

  NASA requirement:
  • 14 CFR 1206 NASA FOIA regulations, “Availability of Agency Records to Members of the Public,” establishes the policies and procedures for release of NASA records.

  Federal/agency requirement:
  • 03-CORR-017, FOIA Requests for Critical Infrastructure Information (March 2003) expands FOIA exemption 3 to cover critical infrastructure information (applies to DHS, not to DOD).

  NASA requirement:
  • NPR 1600.1, Section 5.24.6, “Storage, Access, Disclosure, Protection, Transmittal, and Destruction of SBU,” provides minimum requirements for safeguarding SBU information.

Laws/Regulation/Agency Policy-Guidance

  Federal/agency requirement:
  • DOD Directive 5230.25, Withholding Unclassified Technical Data, states that the Secretary of Defense may withhold from public disclosure technical data with military or space applications unless regulations authorize the export of such data.

  NASA requirement:
  • 14 CFR 1206, Subpart 5, authorizes the Associate Deputy Administrator or designee, after consulting with the General Counsel, to make final determinations about whether requested records will be made available or withheld from disclosure.

  Federal/agency requirement:
  • 10 U.S.C. 130, Authority to Withhold from Public Disclosure Certain Technical Data

  NASA requirement:
  • No similar law that applies to NASA was identified.

  Federal/agency requirement:
  • 32 CFR 250, “Withholding of Unclassified Technical Data from Public Disclosure,” implements 10 U.S.C. 130.

  NASA requirement:
  • No similar law that applies to NASA was identified. However, NPR 2200.2B, Section 4.2.2, “Protection of Certain STI Information,” warns that certain types of information must be protected from public disclosure (national security-classified, export-controlled, personal information subject to the Privacy Act, copyrighted information, and documents disclosing inventions). Refer questions to NASA Headquarters or Center Patent or Intellectual Property Counsel and the Export Control Administrator.

  Federal/agency requirement:
  • 10 U.S.C. 128, Physical Protection of Special Nuclear Material: Limitation on Dissemination of Unclassified Information, states that the Secretary of Defense must prohibit the unauthorized dissemination of unclassified information pertaining to security measures, security plans, procedures, and equipment for the physical protection of special nuclear material.

  NASA requirement:
  • No similar law that applies to NASA was identified. However, NPR 7120.5C, Section 3.2.1.2.i, “Complete a Safety and Mission Success Plan,” provides requirements for obtaining approval to launch radioactive materials.
  • NPR 2190.1, Section 4.4.1, requires foreign partners and end-users of NASA exports to be screened for nuclear, missile, and chemical biological proliferation concerns. Policy refers to 15 CFR 740 and 742.2.

  Federal/agency requirement:
  • 32 CFR Part 223 implements 10 U.S.C. 128.

  NASA requirement:
  • No similar regulation that applies to NASA was identified.

Department of Energy

  Federal/agency requirement:
  • Safeguards & Security Glossary of Terms defines “Sensitive Unclassified Information” and “national security” and “governmental interests” as used in the definition.

  NASA requirement:
  • NPR 2810.1, Appendix C, provides a simpler definition of “sensitive information” than the definition provided by the Computer Security Act.

  Federal/agency requirement:
  • Directives Management Document for Proposed DOE O471.X, Identifying Information as FOUO, directs DOE to establish a program to identify and mark sensitive unclassified information that may be exempt from FOIA disclosure as For Official Use Only (FOUO). [see DoE O 471.2A below.]

  NASA requirement:
  • NPR 1600.1, Chapter 10, “Glossary of Terms, Abbreviations, and Acronyms,” defines Sensitive But Unclassified (SBU) information or material determined to have special protection requirements to preclude unauthorized disclosure to avoid compromises, risks to facilities, projects or programs, threat to the security and/or safety of the source of information, or to meet access restrictions established by laws, directives, or regulations: ITAR, EAR, Militarily Critical Technologies List, FAR, Privacy Act, Proprietary, FOIA, UCNI, NASA Developed Software, STI, source selection and bid and proposal information, and inventions.

  Federal/agency requirement:
  • 42 U.S.C. 2168, Dissemination of Unclassified Information, provides a definition of Unclassified Controlled Nuclear Information (UCNI) and provides civil and criminal penalties.

  NASA requirement:
  • NPR 1600.1, Section 5.25, “Use, Protection and Accountability of Department of Energy (DOE) Unclassified Controlled Nuclear Information (UNCI),” defines UCNI, requires
access only by personnel with a need-to-\n                                                          know, prohibits access to foreign nationals\n                                                          without approval of the DOE, requires storing\n                                                          to prevent unauthorized disclosure, and\n                                                          encryption for electronic transmission.\n\n                                                      \xe2\x80\xa2   NPR 2190.1 Section 4.4.1 addresses nuclear,\n                                                          missile, and chemical biological proliferation.\n                                                          Foreign partners and end-users of NASA\n                                                          exports must be screened for nuclear\n                                                          proliferation concerns, missile proliferation\n                                                          concerns, and chemical-biological\n                                                          proliferation concerns. The section refers to\n                                                          15 CFR Part 740 for missile and nuclear\n                                                          screens and to 15 CFR Part 742.2 for\n                                                          destinations of chemical-biological weapons\n                                                          proliferation concern.\n\n\n\n\n20                                                                           REPORT NO. 
IG-06-010-R\n\x0cAPPENDIX C\n\n\n\n\n   Federal and Selected Federal Agencies\xe2\x80\x99                     NASA SBU Requirements5\n            SBU Requirements4\n            _________________________                           _________________________\n  \xe2\x80\xa2   10 CFR Part 1017, \xe2\x80\x9cIdentification and            \xe2\x80\xa2   No similar NASA regulations were identified.\n      Protection of Unclassified Controlled Nuclear        However, NPR 1600.1, Section 5.25.3.1,\n      Information,\xe2\x80\x9d and DOE O 471.2A, \xe2\x80\x9cDOE                 requires markings per DOE.\n      Information Security Program Directive,\xe2\x80\x9d\n      state that documents containing UCNI must\n      be marked conspicuously as \xe2\x80\x9cNot for Public\n      Dissemination\xe2\x80\x9d prior to transmitting or upon\n      retirement. Access is granted on a need-to-\n      know basis. Documents must be physically\n      protected. Provides civil and criminal\n      penalties.\n          Nuclear Regulatory Commission\n  \xe2\x80\xa2   COMSECY-02-0015, Commission Action               \xe2\x80\xa2   NPR 1600.1 Section 5.25, \xe2\x80\x9cUse, Protection,\n      Memo: Withholding Sensitive Homeland                 and Accountability of Department of Energy\n      Security Information from the Public - defines       (DOE) Unclassified Controlled Nuclear\n      sensitive homeland security information              Information (UNCI),\xe2\x80\x9d defines UCNI, requires\n      based on draft DHS language not made                 access only by personnel with a need-to-\n      public. 
Generally, information generated by          know, prohibits access to foreign nationals\n      the NCR, its licensees, or contractors will be       without approval of the DOE, requires storing\n      withheld if its release could provide a clear        to prevent unauthorized disclosure, and\n      and significant benefit to an adversary in a         encryption for electronic transmission.\n      potential attack.\n\n               Department of State\n  \xe2\x80\xa2   Volume 12, Foreign Affairs Manual 540,           \xe2\x80\xa2   NPR 1600.1, Chapter 10; \xe2\x80\x9cGlossary of\n      \xe2\x80\x9cScope,\xe2\x80\x9d defines SBU.                                Terms, Abbreviations, and Acronyms,\xe2\x80\x9d\n                                                           defines Sensitive But Unclassified (SBU)\n                                                           information or material determined to have\n                                                           special protection requirements to preclude\n                                                           unauthorized disclosure to avoid\n                                                           compromises, risks to facilities, projects or\n                                                           programs, threat to the security and/or safety\n                                                           of the source of information, or to meet\n                                                           access restrictions established by laws,\n                                                           directives, or regulations: ITAR, EAR,\n                                                           Militarily Critical Technologies List, FAR,\n                                                           Privacy Act, Proprietary, FOIA, UCNI,\n                                                           NASA Developed Software, STI, source\n                                                           
selection and bid and proposal information,\n                                                           and inventions.\n           _________________________                            _________________________\n  \xe2\x80\xa2   Volume 12, Foreign Affairs Manual 542,           \xe2\x80\xa2   NPR 1600.1 Section 5.24.1.2, SBU has\n      \xe2\x80\x9cImplementation,\xe2\x80\x9d changes \xe2\x80\x9cLimited Official          previously been designated as For Official\n      Use\xe2\x80\x9d to SBU.                                         Use Only.\n           _________________________                            _________________________\n                                                                         Export Control\n  \xe2\x80\xa2   Volume 12 Foreign Affairs Manual 543,            \xe2\x80\xa2   NPR 2190.1, Section P.1, \xe2\x80\x9cPurpose,\xe2\x80\x9d\n\n\n\n\n  REPORT NO. IG-06-010-R                                                                                    21\n\x0c                                                                                       APPENDIX C\n\n\n\n\nFederal and Selected Federal Agencies\xe2\x80\x99              NASA SBU Requirements5\n         SBU Requirements4\n     \xe2\x80\x9cAccess, Dissemination and Release,\xe2\x80\x9d       provides guidance, instructions, and\n     addresses distribution restriction.        
responsibilities for all NASA employees and\n                                                support contractors engaged in activities that\n                                                involve the transfer of commodities,\n                                                software, or technologies to foreign\n                                                individuals or organizations.\n\n                                                Scientific and Technical Information (STI)\n                                            \xe2\x80\xa2    NPR 2200.2B, Section P.1, \xe2\x80\x9cPurpose,\xe2\x80\x9d\n                                                 identifies requirements for approving,\n                                                 publishing, and disseminating STI.\n\n                                                               Inventions\n                                            \xe2\x80\xa2   NPR 2200.2B, Section 4.2.2.2 states that\n                                                information that is otherwise approved for\n                                                public release may be withheld if it discloses\n                                                an invention.\n\n                                                              Privacy Act\n                                            \xe2\x80\xa2   14 CFR 1206, \xe2\x80\x9cAvailability of Agency\n                                                Records to Members of the Public,\xe2\x80\x9d\n                                                establishes NASA policy for release of\n                                                Agency records.\n\n                                            \xe2\x80\xa2   NPD 1382.17G, Section 1.e.4, prohibits\n                                                NASA employees and contractors from\n                                                disclosing any information in identifiable\n                                                form without the written 
consent of the\n                                                person to whom it pertains.\n\n                                            \xe2\x80\xa2   NPR 1450.10C, Appendix C, \xe2\x80\x9cPrivacy Act\n                                                Correspondence,\xe2\x80\x9d requires that Privacy Act\n                                                correspondence be safeguarded according to\n                                                NPR 1382.17.\n\n                                                              Procurement\n                                            \xe2\x80\xa2   FAR Section 15.207, \xe2\x80\x9cHandling proposals\n                                                and information\xe2\x80\x9d states that proposals shall\n                                                be safeguarded from unauthorized disclosure\n                                                throughout the source selection process.\n                                                Information received in response to a request\n                                                for proposal shall be safeguarded adequately\n                                                from unauthorized disclosure.\n\n                                            \xe2\x80\xa2   NASA FAR Supplement (NFS) Section\n                                                1803.104-4, \xe2\x80\x9cDisclosure, Protection, and\n                                                Marking of Contractor Bid or Proposal\n                                                Information and Source Selection\n\n\n\n\n22                                                                 REPORT NO. 
IG-06-010-R\n\x0cAPPENDIX C\n\n\n\n\n   Federal and Selected Federal Agencies\xe2\x80\x99          NASA SBU Requirements5\n            SBU Requirements4\n                                                Information\xe2\x80\x9d states that only Government\n                                                employees serving in certain positions are\n                                                authorized access to propriety or source\n                                                selection information but only to the extent\n                                                necessary to perform their official duties.\n\n                                            \xe2\x80\xa2   Procurement Information Circular (PIC)\n                                                03-03, \xe2\x80\x9cScientific and Technical\n                                                Information,\xe2\x80\x9d provides guidance on treating\n                                                STI produced under research and\n                                                development contracts.\n\n                                                                Security\n                                            \xe2\x80\xa2   NPR 1600.1, Section 5.24.4,\n                                                \xe2\x80\x9cResponsibilities,\xe2\x80\x9d states that officers and\n                                                employees designating information or\n                                                materials as SBU and those receiving\n                                                materials so marked shall be responsible for\n                                                properly safeguarding the information\n                                                contained therein.\n\n                                                           Counterintelligence\n                                            \xe2\x80\xa2   NPD 1660.1, \xe2\x80\x9cNASA Counterintelligence\n                                 
               (CI) Policy,\xe2\x80\x9d Section 1.3, \xe2\x80\x9cResponsibilities,\xe2\x80\x9d\n                                                makes the Assistant Administrator for\n                                                Security and Program Protection responsible\n                                                for the NASA CI Program.\n\n                                                                Software\n                                            \xe2\x80\xa2   NPR 7500.1, \xe2\x80\x9cNASA Technology\n                                                Commercialization Process,\xe2\x80\x9d Section 4.2,\n                                                requires NASA employees and contractors to\n                                                report new technologies and innovations\n                                                (including software) as soon as possible after\n                                                conception to determine whether intellectual\n                                                property protection and patent application are\n                                                appropriate.\n\n                                            \xe2\x80\xa2   NPD 7500.2, NASA Technology\n                                                Commercialization Process,\xe2\x80\x9d Section 5,\n                                                \xe2\x80\x9cResponsibilities,\xe2\x80\x9d makes the NASA General\n                                                Counsel responsible for protecting\n                                                intellectual property rights and for ensuring\n                                                that transfer of NASA technology and\n                                                intellectual property through licensing\n                                                conforms with applicable laws, regulations,\n                                                and NASA policies.\n\n\n\n\n  REPORT NO. 
IG-06-010-R                                                                         23\n\x0c                                                                                         APPENDIX C\n\n\n\n\nFederal and Selected Federal Agencies\xe2\x80\x99                NASA SBU Requirements5\n         SBU Requirements4\n                                               Small Business and Innovative Research (SBIR)\n                                                                    Data\n                                              \xe2\x80\xa2 NPR 2200.2B, Section 4.5.10.2, states that it\n                                                 is NASA policy to restrict all SBIR program\n                                                 reports from public disclosure for the period\n                                                 specified in the contract for SBIR data unless\n                                                 the contractor grants permission to publicly\n                                                 release the report sooner.\n\n                                                                      Other\n                                              \xe2\x80\xa2   NPR 1450.10C, \xe2\x80\x9cNASA Correspondence\n                                                  Management and Communications Standards\n                                                  and Style,\xe2\x80\x9d Chapter 6, \xe2\x80\x9cElectronic\n                                                  Communications,\xe2\x80\x9d states that sensitive but\n                                                  unclassified information may be sent using e-\n                                                  mail if it is encrypted.\n\n                                              \xe2\x80\xa2   NPR 1450.10C, Appendix C, states that\n                                                  correspondence containing any item of\n                                                  information subject to the Privacy Act that 
is\n                                                  removed from a system of records not under\n                                                  the control of a system manager or an\n                                                  authorized representative, is to be\n                                                  prominently identified as a record protected y\n                                                  the Privacy Act. NASA Form 1534, \xe2\x80\x9cThe\n                                                  Attached Material is Subject to the Privacy\n                                                  Act of 1974,\xe2\x80\x9d should be used as a cover sheet\n                                                  for the correspondence.\n\n                                              \xe2\x80\xa2   NPR 7120.5B, \xe2\x80\x9cNASA Program and Project\n                                                  Management Processes and Requirements,\xe2\x80\x9d\n                                                  makes program and project managers\n                                                  responsible for protecting information\n                                                  generated within their program.\n\n                                              \xe2\x80\xa2   NPR 2820.1C, \xe2\x80\x9cNASA Software Policies,\xe2\x80\x9d\n                                                  states NASA\xe2\x80\x99s policy regarding intellectual\n                                                  protection of software and the release of\n                                                  software is to (a) manage and protect\n                                                  software created by or for NASA as valuable\n                                                  intellectual property during all phases of the\n                                                  life cycle; and (b) establish procedures and\n                                                  requirements 
concerning the release of\n                                                  software created by or for NASA that will\n                                                  maximize its benefit to NASA, the U.S.\n                                                  public, and the U.S.\n         _________________________                      _________________________\n\xe2\x80\xa2    Volume 12, Foreign Affairs Manual 544,   \xe2\x80\xa2   NPR 1450.10C, \xe2\x80\x9cNASA Correspondence\n\n\n\n\n24                                                                   REPORT NO. IG-06-010-R\n\x0cAPPENDIX C\n\n\n\n\n   Federal and Selected Federal Agencies\xe2\x80\x99                     NASA SBU Requirements5\n            SBU Requirements4\n      \xe2\x80\x9cSBU Handling Procedures\xe2\x80\x9d discusses                  Management and Communications Standards\n      possible encryption.                                 and Style,\xe2\x80\x9d Chapter 6, states that sensitive but\n                                                           unclassified information may be sent using e-\n           _________________________                       mail if it is encrypted.\n  \xe2\x80\xa2   Volume 12 Foreign Affairs Manual 545,                      _________________________\n      \xe2\x80\x9cResponsibilities\xe2\x80\x9d gives a general warning of    \xe2\x80\xa2   NPR 1600.1, Section 5.24.8.2, states that\n      consequences for disclosing SBU                      sanctions [for noncompliance with the NPR\n      information.                                         
section on SBU information] include, but are\n                                                           not limited to, warning notice, admonition,\n                                                           reprimand, suspension without pay, forfeiture\n           _________________________                       of pay, removal, and/or discharge.\n  \xe2\x80\xa2   Guidance for Drafting SBU Telegrams                        _________________________\n      describes how documents containing SBU           \xe2\x80\xa2   NPR 1450.10C; Section 6.6.1.2, states that\n      information should be labeled.                       telegrams are delivered by telephone or\n                                                           printed copy in a few hours to any location\n                                                           within the United States (except Hawaii) and\n            _________________________                      to Canada.\n  \xe2\x80\xa2   Volume 5 Foreign Affairs Manual 751.2,                     _________________________\n      \xe2\x80\x9cProhibitions When Using Email\xe2\x80\x9d states that      \xe2\x80\xa2   NPR 1450.10C, Section 6.2.3, states that e-\n      unclassified SBU e-mail may be transmitted           mail systems are not secure. Never use them\n      on the unclassified Intranet. SBU information        to transmit classified information even if it is\n      marked NOFORN (Not for Release to                    encrypted. However, SBU may be sent using\n      Foreign Nationals) or with other restricted          e-mail if it is encrypted.\n      distribution must be transmitted on the\n      classified Intranet. 
SBU e-mail may not be\n      transmitted over the Internet.\n\n           _________________________\n  \xe2\x80\xa2   Volume 12 Foreign Affairs Manual 660,                     _________________________\n      \xe2\x80\x9cCommunications Security (COMSEC)                \xe2\x80\xa2   NPR 2810.1, Section 4.11.2, provides\n      (SBU).\xe2\x80\x9d The Department of State would not            detailed guidance for using encryption for\n      release a copy of this document to the Federal       classified and unclassified information.\n      Research Division of the Library of Congress.\n                                                       \xe2\x80\xa2   NPR 1600.1, Section 5.15, requires users of\n                                                           COMSEC material to follow the NASA\n                                                           Central Office of Record Standard Operating\n                                                           Procedures (CSOP) and the National Security\n                                                           Telecommunications Systems Security\n           _________________________                       Instruction (NSTSSI) 4005.\n                                                                _________________________\n  \xe2\x80\xa2   Volume 3 Foreign Affairs Manual 4300,                                 Security\n      \xe2\x80\x9cDisciplinary Action\xe2\x80\x9d contains the following     \xe2\x80\xa2   NPR 1600.1, Section 1.4, \xe2\x80\x9cViolations of\n      subsections that deal with various aspects of        Security Requirements,\xe2\x80\x9d states that anyone\n      disciplinary action: 4310 Disciplinary               who willfully violates, attempts to violate, or\n      Action-General; 4320 Disciplinary Action             conspires to violate any regulation or order\n      Common Practices; 4330 Admonishment;                 involving the NASA Security Program is\n      4340 Reprimand; 4350 Suspension; 4360        
        subject to disciplinary action up to and\n      Separation for Cause; 4370 List of Offenses          including termination of employment and/or\n\n\n\n\n  REPORT NO. IG-06-010-R                                                                                      25\n\x0c                                                                                                 APPENDIX C\n\n\n\n\nFederal and Selected Federal Agencies\xe2\x80\x99                       NASA SBU Requirements5\n         SBU Requirements4\n     Subject to Disciplinary Action Foreign               possible prosecution under 18 U.S.C. 799 that\n     Services. No one subsection details specific         provides for fines or imprisonment for not\n     sanctions or procedures for responding to the        more than 1 year, or both..\n     improper or unauthorized release of SBU;\n     however, all subsections are relevant since      \xe2\x80\xa2   NPR 1600.1, Section 5.24.8.1, addresses\n     they describe the sanctions and procedures for       administrative violations and sanctions for\n     responding to the improper or unauthorized           employees and non-employees if they\n     release or handling of information generally.        
disclose information designated as SBU\n                                                          without proper authorization.\n\n                                                      \xe2\x80\xa2   NPR 1600.1 Section 5.24.8.2, states that\n                                                          sanctions [for noncompliance with the NPR\n                                                          section on SBU information] include, but are\n                                                          not limited to, warning notice, admonition,\n                                                          reprimand, suspension without pay, forfeiture\n                                                          of pay, removal, and/or discharge.\n\n                                                      \xe2\x80\xa2   NPR 1600.1 Section 5.24.8.3, states: "Such\n                                                          sanctions may be imposed, as appropriate,\n                                                          upon any person determined to be responsible\n                                                          for a violation of disclosure restrictions in\n                                                          accordance with applicable law and\n                                                          regulations, regardless of office or level of\n                                                          employment."\n\n                                                      \xe2\x80\xa2   NPR 1600.1 Section 5.22.2, states: "CNSI\n                                                          [classified national security information] and\n                                                          SBU are always the property of the United\n                                                          States Government. 
APPENDIX C

Federal and Selected Federal Agencies' SBU Requirements (4)          NASA SBU Requirements (5)

Individuals who remove SBU or CNSI may be subject to disciplinary action up to and including prosecution under Title 18 and Title 50 U.S.C. and other applicable laws."

Procurement

•   FAR 3.101-3(a) states that agencies are required by Executive Order 11222 (May 8, 1965) and 5 CFR 735 to prescribe "Standards of Conduct" that contain agency-authorized exceptions to 3.101-2, "Solicitation and Acceptance of Gratuities by Government Personnel," and disciplinary measures for persons violating the standards of conduct.

•   14 CFR 1207, which refers to 5 CFR 2635, requires employees to comply with restrictions and prohibitions on disclosure of
    •   certain sensitive Government information under the FOIA and Privacy Act,
    •   proprietary and confidential information, and
    •   certain procurement information.

•   FAR 3.104-8, "Criminal and civil penalties and further administrative remedies," states that criminal and civil penalties and administrative remedies may apply to conduct that violates the Procurement Integrity Act. An official who knowingly fails to comply with the requirements of 3.104-3 is subject to the penalties and administrative action set forth in subsection 27(e) of the Act.

•   NFS 1852.235-73 requires contractors to review data for publication or dissemination for conformance with the laws and regulations governing its distribution, including intellectual property rights, export control, national security, and other requirements, but does not stipulate consequences for inappropriate dissemination.

Proprietary

•   NPR 1600.1 addresses proprietary information and the consequences for noncompliance with the NPR (see above). In addition, 18 U.S.C. 1832 states that whoever steals trade secrets can be imprisoned for not more than 10 years and/or fined, and that an organization that does so can be fined up to $5,000,000.

Export Control

•   NPR 2190.1, "NASA Export Control Program," Section 8.1, "General," explains that noncompliance with export control laws and regulations could result in criminal, civil, or administrative penalties. Section 8.3.1 refers to the specific ITAR and EAR regulations in the Code of Federal Regulations that address penalties.

•   NPR 1600.1 provides both criminal and civil penalties for violating ITAR and EAR regulations (criminal: fines up to $1 million and 10 years imprisonment; civil: fines up to $100 thousand).

Scientific and Technical Information

•   NPR 2200.2B, "Requirements for Documentation, Approval, and Dissemination of NASA Scientific and Technical Information (STI)," Section 4.2.2, "Protection of certain STI Information," states that certain types of information are required to be protected from public disclosure. FOIA provides guidance regarding the categories of information that are exempt from mandatory release under FOIA. Dissemination of information may also be restricted under other laws, regulations, or policy. Restricted-access information includes export-controlled information, personal information subject to the Privacy Act, proprietary information of the Government or others, copyrighted information, and documents disclosing inventions. In addition, certain types of information are further restricted from dissemination via NASA public websites. With the exception of addressing the consequences for releasing STI that is subject to export control requirements, NPR 2200.2B does not address the consequences for releasing STI that should be protected from public disclosure.

Inventions

•   NPR 2200.2B, Section 4.5.16, "Documents Disclosing Inventions," says that information that is otherwise approved for public release may be withheld if it discloses an invention. (See STI above.) NPR 1600.1, Section 1.4.2, says that anyone who willfully violates, attempts to violate, or conspires to violate any regulation or order involving the NASA Security Program is subject to disciplinary action up to and including termination of employment and/or possible prosecution under 18 U.S.C. 799, which provides for fines or imprisonment for not more than 1 year, or both.

Software

•   NPR 2210.1A, "External Release of NASA Software," Section 3.6.1, requires compliance with export control laws and regulations, which stipulate consequences.

SBIR Data

•   NASA Federal Acquisition Regulation (FAR) Supplement (NFS) contract clause 1852.235-73 requires contractors to review data for publication or dissemination for conformance with the laws and regulations governing its distribution, including intellectual property rights, export control, national security, and other requirements, but does not stipulate consequences for inappropriate dissemination.

FOIA and Privacy Act Information

•   14 CFR 1212.800 states: "Failure to comply with the requirements of the Privacy Act and this part could subject NASA to civil suit under the provisions of 5 U.S.C. 552a(g)."

•   14 CFR 1212.801 states: "(a) A NASA officer or employee may be subject to criminal penalties under the provisions of 5 U.S.C. 552a(i) (1) and (2).
    (1) Section 552a(i)(1). Any officer or employee of an agency, who by virtue of employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
    (2) Section 552a(i)(2). Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.
    (3) These two provisions apply to NASA civil service employees as well as those employees of a NASA contractor with responsibilities for maintaining a Privacy Act system of records.
    (b) Section 552a(i)(3). Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000."

REPORT NO. IG-06-010-R


APPENDIX D

MANAGEMENT COMMENTS


APPENDIX E

Report Distribution

National Aeronautics and Space Administration (NASA)

  Administrator
  Deputy Administrator
  Chief of Staff
    Mission Support Offices
  Chief Information Officer
  Assistant Administrator, Institutions and Management, Security and Program Protection
  Director, Institutions and Management, Infrastructure and Administration, Management
    Systems Division

NASA Centers

  Director, Goddard Space Flight Center
  Director, Jet Propulsion Laboratory
  Director, Lyndon B. Johnson Space Center
  Director, John F. Kennedy Space Center
    Chief Counsel, John F. Kennedy Space Center
  Director, George C. Marshall Space Flight Center

    Note: A redacted version of this report was distributed to non-NASA organizations
    and individuals and members of Congress. Recipients of the redacted version may
    request the full report from the NASA IG Counsel at 202-358-2575 or from the NASA
    IG Executive Officer at 202-358-0615.

Non-NASA Organizations and Individuals

  Office of Management and Budget
    Deputy Associate Director, Energy and Science Division
      Branch Chief, Science and Space Programs Branch
  Government Accountability Office
    Director, Defense, State, and NASA Financial Management, Office of Financial
      Management and Assurance
    Director, NASA Issues, Office of Acquisition and Sourcing Management

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member

  Senate Committee on Appropriations
    Senate Subcommittee on Commerce, Justice, and Science
  Senate Committee on Commerce, Science, and Transportation
    Senate Subcommittee on Science and Space
  Senate Committee on Homeland Security and Governmental Affairs
  House Committee on Appropriations
    House Subcommittee on Science, State, Justice, and Commerce
  House Committee on Government Reform
    House Subcommittee on Government Management, Finance, and Accountability
  House Committee on Science
    House Subcommittee on Space and Aeronautics


Major Contributors to the Report:
  Earl Baker, Attorney Advisor
  Lamar Brickhouse, Auditor
  Ari Elias-Bachrach, IT Specialist
  Wesley Pippenger, Management Analyst
  Carol St. Armand, Auditor
  Janet Overton, Report Process Manager


MAY 9, 2006
REPORT NO. IG-06-010

OFFICE OF AUDITS
OFFICE OF INSPECTOR GENERAL

ADDITIONAL COPIES
Contact the Assistant Inspector General for Auditing at 202-358-1232 for additional copies of this
report. Unrestricted audit reports by the NASA Inspector General's Office of Audits are available
over the Internet at www.hq.nasa.gov/office/oig/hq/audits/reports/FY06/index.html.

COMMENTS ON THIS REPORT
To help us improve the quality of our products, if you wish to comment on the quality or
usefulness of this report, please send your comments to Ms. Jacqueline White, Director of the Quality
Control Division, at Jacqueline.White@nasa.gov or call 202-358-0203.

SUGGESTIONS FOR FUTURE AUDITS
To suggest ideas for or to request future audits, contact the Assistant Inspector General for Auditing.
Ideas and requests can also be mailed to:
      Assistant Inspector General for Auditing
      NASA Headquarters
      Washington, DC 20546-0001

NASA HOTLINE
To report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at 800-424-9183 or
800-535-8134 (TDD). You may also write to the NASA Inspector General, P.O. Box 23089, L'Enfant
Plaza Station, Washington, DC 20026, or use http://www.hq.nasa.gov/office/oig/hq/hotline.html#form.
The identity of each writer and caller can be kept confidential, upon request, to the extent permitted
by law.